Enable WDigest using PowerShell (ps_module)
Rule to detect registry modifications to enable WDigest using powershell script modules.
Sigma rule (View on GitHub)
1title: Enable WDigest using PowerShell (ps_module)
2id: c677394a-1e3e-4ab5-a6a8-295bf0b71137
3description: Rule to detect registry modifications to enable WDigest using powershell script modules.
4status: experimental
5date: 2022-06-05
6author: The DFIR Report
7references:
8 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
9tags:
10 - attack.defense-evasion
11 - attack.t1112
12logsource:
13 product: windows
14 category: ps_module
15 definition: PowerShell Module Logging must be enabled
16detection:
17 selection:
18 Payload|contains|all:
19 - 'Set-ItemProperty'
20 - 'UseLogonCredential'
21 - 'WDigest'
22 - 'Value'
23 - '1'
24 condition: selection
25falsepositives:
26 - Admin activity
27level: medium
References
-
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files o…
Read More
Related rules
- Enable WDigest using PowerShell
- Enabling RDP service via reg.exe command execution
- NetNTLM Downgrade Attack - Registry
- Non-privileged Usage of Reg or Powershell
- Enable LM Hash Storage